Reference Articles:
- User Profile Best Practices for Citrix XenApp
- Customize the Default Local User Profile
- Creating a Mandatory User Profile
- The Cache Option for Offline Files Must Be Disabled on Roaming User Profile Shares
- The "Set roaming profile path for all users logging onto this computer" Group Policy setting also applies to local user accounts in Windows Server 2008
- Deploy Roaming User Profiles
Goal:
Create a profile that can be utilized for all users of a system to either speed logon or set base configurations void of personalization settings.
Prerequisites:
- A "like" operating system (Server class 2008 or newer, Windows desktop OS 7 or newer). See this article for details.
- Network storage*
- Administrative privileges
*Network storage can be avoided by copying the profile locally prior to user access, which eliminates the need to have the profile centrally available.
Step-by-Step:
- Select a "clean" machine for creating the user profile. This machine should be ready to deploy as if it were going to production, but should not have been in use. This eliminates as many divergences from the ideal build as possible.
- Log into the server and create a new local user "ManUser1." (I am utilizing Microsoft Server 2008 R2 in this case.)
- Add the new user to the local administrators group on the server
- Log off of the current session and into the server with the new user
- Customize the user environment as needed
- Alternatively, the steps in the reference article above for customizing the default profile could be done ahead of time
- Log off of this account and back in as your original administrator account
- Create a network share for central access
- Example: \\MyLab_NAS\MandatoryUser
- Share Permissions: Everyone Full Control
- NTFS Permissions: Follow this TechNet article
- Disable Caching
- Copy the entire folder C:\Users\ManUser1 to the new share
- Rename the folder ManUser1.V2
- Clean the profile:
- Delete the AppData\Local and AppData\LocalLow folders
- Open RegEdit and mount the ntuser.dat hive:
- Search for any instances of "ManUser1" and clear those instances
- Check the various software run and policy locations (Run, Run Once, Policies, etc.) and remove any unwanted software launches / settings
- Set permissions:
- Return to RegEdit with the ntuser.dat hive still mounted:
- Right-click on "ManUser1" and select permissions
- Delete "ManUser1"
- Add Authenticated Users Full Control
- Unmount ntuser.dat from RegEdit
- In the root of ManUser1.V2, delete files other than NTUser.dat and ntuser.ini (i.e. Log, BLF, etc.)
*For use with Citrix Profile Manager, skip to the next section
- Rename ntuser.dat to ntuser.man
- Specify the profile \\MyLab_NAS\MandatoryUser\ManUser1 in the group policy to set mandatory profiles with Server 2008 RDS (XenApp) or newer. For Windows desktop OS, reference this.
- Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles
- Enable: Use mandatory profiles on RD Session Host server
- Enable: Set path for Remote Desktop Services Roaming User Profile
*Remember NOT to include .V2 in your path!
- Now run gpupdate /force on any clients targeted by the deployed group policy to have the new mandatory profile applied
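
Before pointing the group policy at the share, it is worth confirming that the cleanup steps above actually took. The following PowerShell audit is an added example, not part of the original procedure; it uses the share path and account name from this article, while the mount name "ManAudit" and the temporary file name are hypothetical. It works on a temporary copy of the hive, so it writes nothing to the profile share.

```powershell
# Added example: read-only audit of the prepared mandatory profile folder.
# $Mount and the temp file name are hypothetical. Run from an elevated prompt.
$ProfileRoot = '\\MyLab_NAS\MandatoryUser\ManUser1.V2'
$BuildUser   = 'ManUser1'
$Mount       = 'ManAudit'
$findings    = @()

# AppData\Local and AppData\LocalLow should be gone.
foreach ($dir in 'AppData\Local', 'AppData\LocalLow') {
    if (Test-Path (Join-Path $ProfileRoot $dir)) { $findings += "Folder still present: $dir" }
}

# Only the hive and ntuser.ini should remain as files in the profile root.
$rootFiles = @(Get-ChildItem -Path $ProfileRoot -Force | Where-Object { -not $_.PSIsContainer })
$allowed   = 'ntuser.dat', 'ntuser.man', 'ntuser.ini'
$rootFiles | Where-Object { $allowed -notcontains $_.Name } |
    ForEach-Object { $findings += "Unexpected file in root: $($_.Name)" }

# Load a temporary COPY of the hive so no new log files appear in the share.
$hive = $rootFiles | Where-Object { $_.Name -match '^ntuser\.(dat|man)$' } | Select-Object -First 1
if (-not $hive) { throw "No ntuser.dat or ntuser.man found in $ProfileRoot" }
$copy = Join-Path $env:TEMP 'ManAudit-ntuser.dat'
Copy-Item -Path $hive.FullName -Destination $copy -Force
& reg.exe load "HKU\$Mount" $copy | Out-Null
try {
    # Leftover references to the build account (key names, value names and data).
    & reg.exe query "HKU\$Mount" /s /f $BuildUser 2>$null |
        Where-Object { $_ -like 'HKEY_USERS\*' } |
        ForEach-Object { $findings += "Build user still referenced under: $_" }

    # Autostart entries that every user of this profile would inherit.
    foreach ($sub in 'Run', 'RunOnce') {
        & reg.exe query "HKU\$Mount\Software\Microsoft\Windows\CurrentVersion\$sub" 2>$null |
            Where-Object { $_ -match '^\s+\S' } |
            ForEach-Object { $findings += "$sub entry: $($_.Trim())" }
    }

    # Hive root permissions: the build account should no longer be listed.
    # (The account name only resolves on the machine where it was created.)
    $acl = Get-Acl -Path "Registry::HKEY_USERS\$Mount"
    $acl.Access | Where-Object { "$($_.IdentityReference)" -like "*$BuildUser*" } |
        ForEach-Object { $findings += "Hive ACL still lists: $($_.IdentityReference)" }
}
finally {
    $acl = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles
    & reg.exe unload "HKU\$Mount" | Out-Null
    Remove-Item -Path "$copy*" -Force   # hive copy plus the log files created by the load
}
if ($findings) { $findings } else { 'Profile folder matches the cleanup steps.' }
```

Any Run or RunOnce line it reports is something every user of the mandatory profile will execute at logon, so review each one rather than only checking for an empty list.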
Citrix User Profile Manager
There are a couple of differences when utilizing Citrix UPM 5.x for managing profiles. Your profile created above can still be used (though there is no need to rename it to *.man nor apply the Microsoft group policy). For the steps to configure UPM for use, check out the Citrix eDocs page here. It is rather straightforward and you have already taken care of all the prerequisites!
Thanks for detailed guide!
I'm curious about step 10.2 (Search for any instances of "ManUser1" and clear those instances). Is it the only correct way to cleanup? Maybe it's better to replace ManUser1 with %username%?
Both this and the method I described are valid options.